Posted to issues@avro.apache.org by "Zoltan Csizmadia (Jira)" <ji...@apache.org> on 2023/11/22 14:04:00 UTC

[jira] [Resolved] (AVRO-3874) Bump minimum Newtonsoft version because of severe vulnerability

     [ https://issues.apache.org/jira/browse/AVRO-3874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zoltan Csizmadia resolved AVRO-3874.
------------------------------------
    Release Note: AVRO-3986 resolves this.
      Resolution: Duplicate

> Bump minimum Newtonsoft version because of severe vulnerability
> ---------------------------------------------------------------
>
>                 Key: AVRO-3874
>                 URL: https://issues.apache.org/jira/browse/AVRO-3874
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: csharp
>            Reporter: Zoltan Csizmadia
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.11.4
>
>   Original Estimate: 24h
>          Time Spent: 0.5h
>  Remaining Estimate: 23.5h
>
> Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with a high nesting level that leads to a StackOverflow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial of Service (DoS).
>  
> https://github.com/advisories/GHSA-5crp-9r3c-p9vr
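The advisory above concerns parser recursion on deeply nested input. The following C# snippet is an added illustration, not code from the Avro project or from the issue reporter: it shows how a caller on Newtonsoft.Json 13.0.1 or later can make the depth limit explicit via `JsonSerializerSettings.MaxDepth` (which defaults to 64 from 13.0.1 onward) and confirm that an over-nested document is rejected with a `JsonReaderException` instead of exhausting the stack. The `NestingGuard` class, the `NestedArrays` input builder and the chosen depth values are constructed for this example.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example (not part of Apache Avro). Assumes Newtonsoft.Json >= 13.0.1,
// where JsonSerializerSettings.MaxDepth exists and defaults to 64.
public static class NestingGuard
{
    // Constructed input: `depth` nested empty arrays, e.g. "[[[]]]" for depth 3.
    public static string NestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Parses `json` with an explicit nesting limit. Returns true when the document
    // parses within the limit; false (with the reader's message) when it is rejected.
    // The depth check runs in the reader, so rejection happens before deep recursion.
    public static bool TryParse(string json, int maxDepth, out string error)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            error = null;
            return true;
        }
        catch (JsonReaderException ex)
        {
            // Thrown as "The reader's MaxDepth of N has been exceeded" once nesting passes the limit.
            error = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // A modestly nested document is accepted under the 64-level limit.
        Console.WriteLine(TryParse(NestedArrays(32), 64, out _));

        // A constructed over-nested document is refused by the reader, not by a stack overflow.
        Console.WriteLine(TryParse(NestedArrays(10000), 64, out var err));
        Console.WriteLine(err);
    }
}
```

On versions before 13.0.1 the same `MaxDepth` property exists but is unset by default, which is the "Insecure Defaults" the advisory refers to; pinning the package at 13.0.1 or later (as this ticket and its duplicate propose) makes the limit apply even to code paths that never touch `JsonSerializerSettings`.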



--
This message was sent by Atlassian Jira
(v8.20.10#820010)